I have been working as a security consultant for a few months now, and one finding that is on almost every webserver I come across is the lack of an HSTS (HTTP Strict Transport Security) implementation. This is understandable, since HSTS is still fairly new. In fact, before starting at Accuvant, I had never heard of it either! However, since most browsers support it now, I wanted to be able to report on it. As of the time of this post, Nexpose does not have a finding for this item, but I believe Nessus does. To report on this finding, and provide screenshot evidence to customers, we were often resorting to manually looking at the headers, or implementing home-made scripts to do it.

Wait, HSTS? What are you talking about?

When you visit a website over unsecured HTTP, it’s often considered a best practice to do a 302 redirect to the HTTPS site. That way, when browser users just type in the domain, it gets redirected to the secure site. When the “Strict-Transport-Security” header is added to the HTTPS response, the client then knows for a certain amount of time (based on the header’s value) to ONLY request the HTTPS version of the site. This can greatly reduce the chances of phishing.

One convenient thing that happens with HSTS is that even if a page makes requests to the HTTP version of the site, the browser rewrites them to HTTPS before they ever leave the machine, so nothing is sent over plain HTTP. This prevents the mixed-content leaks that often occur with images, stylesheets, and scripts.
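As an added example (my own code, not the post's or the Metasploit module's), here is the header check the module automates, written as a small Ruby function you can run offline against captured response headers. It parses the Strict-Transport-Security value, reports the header as missing, ineffective (no usable max-age, which browsers ignore), weak, or ok, and flags a missing includeSubDomains directive. The 180-day minimum max-age and the sample headers are assumptions constructed for the example.

```ruby
# Added example: evaluate an HTTPS response's Strict-Transport-Security header.
# Assumed threshold for this example: 180 days in seconds.
MIN_MAX_AGE = 15_552_000

# Parse the header value into its directives.
# Directive names are case-insensitive; max-age may be quoted.
def parse_hsts(value)
  result = { max_age: nil, include_subdomains: false, preload: false }
  value.to_s.split(';').each do |directive|
    name, val = directive.strip.split('=', 2)
    case name.to_s.downcase
    when 'max-age'
      digits = val.to_s.delete('"').strip
      result[:max_age] = digits.to_i if digits =~ /\A\d+\z/
    when 'includesubdomains'
      result[:include_subdomains] = true
    when 'preload'
      result[:preload] = true
    end
  end
  result
end

# headers: Hash of response header name => value (names in any case).
# Returns { status:, parsed:, findings: } suitable for a report.
def assess_hsts(headers)
  key = headers.keys.find { |k| k.to_s.downcase == 'strict-transport-security' }
  unless key
    return { status: :missing, parsed: nil,
             findings: ['No Strict-Transport-Security header in HTTPS response'] }
  end

  parsed = parse_hsts(headers[key])
  findings = []
  status = :ok

  if parsed[:max_age].nil?
    # Without a valid max-age the header is ignored by browsers.
    findings << 'max-age directive missing or malformed; browsers ignore the header'
    status = :ineffective
  elsif parsed[:max_age].zero?
    # max-age=0 tells the browser to forget the policy.
    findings << 'max-age=0 clears the HSTS policy'
    status = :ineffective
  elsif parsed[:max_age] < MIN_MAX_AGE
    findings << "max-age #{parsed[:max_age]} is below the assumed minimum #{MIN_MAX_AGE}"
    status = :weak
  end

  unless parsed[:include_subdomains]
    findings << 'includeSubDomains not set; subdomains stay reachable over HTTP'
    status = :weak if status == :ok
  end

  { status: status, parsed: parsed, findings: findings }
end

# Constructed sample responses (not captured from any real host).
SAMPLE_RESPONSES = {
  'good'      => { 'Strict-Transport-Security' => 'max-age=31536000; includeSubDomains; preload' },
  'short'     => { 'strict-transport-security' => 'max-age=300; includeSubDomains' },
  'no_maxage' => { 'Strict-Transport-Security' => 'includeSubDomains' },
  'absent'    => { 'Content-Type' => 'text/html' },
}

def run_samples
  SAMPLE_RESPONSES.each_with_object({}) { |(name, h), out| out[name] = assess_hsts(h) }
end

if __FILE__ == $PROGRAM_NAME
  run_samples.each do |name, r|
    puts "#{name}: #{r[:status]}"
    r[:findings].each { |f| puts "  - #{f}" }
  end
end
```

Feeding the function the headers captured in a screenshot gives a repeatable verdict to attach to the finding, and the same parser can be pointed at a live response body once you have it in hand.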

Get to the module already!

The crew over on the Metasploit team were really quick adding this module, which isn’t surprising since it was super easy to implement. I was honestly surprised that nobody had done it already. The code can be found here.

So how do I use this thing?

The usage is pretty simple. First, load up Metasploit and gaze at the ASCII-art: